LTM 11.3 with APM: smart card authentication not working

Wow. I am incredibly impressed with the insightful F5 DevCentral community. I wasn't expecting such an in-depth treatment of the processes involved in smartcard authentication integration with Citrix XenApp here. Very well done, Kevin (and Greg). I'm new to F5 DevCentral and I'll be on the lookout for your future contributions. And, hopefully my pain in this instance can be someone else's gain.

Now, I follow everything except the very last sentence. We've got an APM AAA Server object for our first AD domain, but I don't know how that will "retrieve the user's sAMAccountName" from AD and supply it to the Kerberos SSO. With NetScalers, we create an "Authentication Server" for every domain where we perform authentication (smart card or otherwise). So, if there are 30 different AD domains, we would need at least 30 unique "Authentication Server" objects. We associate those "Authentication Servers" with "Authentication Policy" objects, which we bind to our Access Gateway Virtual Server. For this account, there are 7 different domains that have been identified so far. I wanted to get the first one completed and then add the others once the first has been tested successfully. Now, I think we've already configured what you've recommended with our current LTM/APM configuration. And that wasn't entirely my doing: it was the latest iApp template and the granular instructions in the Deployment Guide for Citrix, but we'll see. I'll let everyone know how it goes on Monday.

Very insightful response. Thanks, much-